Many employers have policies stating that workers don't have an expectation of privacy when using company resources, such as computers, phones and e-mail programs. This type of policy is usually permissible in California, but employers must be aware of the state's stringent privacy rules that afford more protection to employees than federal statutes do.
The California Constitution identifies certain inalienable rights for citizens, including "pursuing and obtaining safety, happiness and privacy." Additionally, employees in the state are covered by various statutes that protect their privacy. For example, under the California Labor Code, employees can't be demoted, suspended or fired for engaging in lawful conduct during off-duty hours and while away from the worksite.
California workers also can't be discriminated against based on their political affiliation or political activity.
Here are five areas of workplace-privacy compliance that employers might be getting wrong.
1. Medical Information
"California employers should be mindful of privacy rights as they pertain to medical information," said Christopher Olmsted, an attorney with Ogletree Deakins in San Diego. For example, when requesting a medical certification for a leave of absence under the California Family Rights Act, an employer should not request any medical facts relating to the employee's condition. Similar restrictions apply to fitness-for-duty or other medical testing.
Furthermore, employers should take care to maintain the confidentiality of employee medical documents, he added. Medical records relating to workers' compensation claims, health insurance claims, and disability or medical leaves should be kept in a secure location that is accessible only to designated staff members.
Medical documents should be kept separately from personnel files, noted Steve Hernández, an attorney with Barnes & Thornburg in Los Angeles.
2. Social Security Numbers
All states have laws protecting personal data to some degree because the risk of identity theft is so high. California law provides specific protections for employee Social Security numbers, which can only be used in very limited circumstances, Hernández said. Full Social Security numbers can't be used as an employee identification number and aren't supposed to be put in anything that goes in mail or in other communications.
3. Workplace Monitoring
California employers should exercise care in connection with workplace monitoring, such as video surveillance, e-mail monitoring, and listening to employee telephone conversations, Olmsted said. "Where employers have legitimate business purposes for such monitoring, it is a best practice to disclose the monitoring to employees in a handbook, memo, sign or by other means."
Hernández noted that "monitoring" and "recording" are not the same thing. In California, no one should be recorded without consent, so it's not enough for a notice to state, "This call may be monitored for quality assurance purposes." If the call might also be recorded, the notice needs to say so.
Likewise, a convenience store camera may be placed in an obvious position to put employees on notice of the surveillance, but if the system records sound in addition to video, the employer needs to notify workers and obtain consent, he added.
4. Background Checks
California imposes limits on conducting background checks, such as credit- or criminal-history reports. In addition to being aware of federal rules on conducting background investigations, employers must also be aware of their responsibilities under the California Investigative Consumer Reporting Agencies Act and the California Consumer Credit Reporting Agencies Act.
Employers may often be required to obtain the employee's consent and disclose certain rights and procedures when conducting such investigations, Olmsted said.
The state recently enacted a "ban-the-box" law that prohibits employers from asking job applicants about their criminal history until after a conditional offer has been made.
5. Drug Testing
Employee privacy rights are implicated when businesses test for drugs, particularly when they have random drug testing programs, Olmsted said. "Due to privacy rights, employers should limit random drug testing to special circumstances, such as for safety-sensitive roles or when state or federal law may require such testing."
Drug tests qualify as a medical examination under California law. Employers can test potential new hires between the time a conditional offer has been made and the tentative start date, but, even then, there are specific steps and notification requirements that employers must follow, Hernández noted.
Compliance Tips
When dealing with the maze of privacy issues that come up in the employment setting, it is a good idea to consult local counsel, Hernández said. The biggest issue for employers to be aware of is that any time they are dealing with an employee's private information, notice and consent are likely required.
Think of it like the Golden Rule, he said: "Don't do anything with someone else's records that you don't want done with yours."